Global Views on Internet Laws: Data Protection, US Privacy, and Government Data Access, Slides of Computer Science

Download Global Views on Internet Laws: Data Protection, US Privacy, and Government Data Access and more Slides Computer Science in PDF only on Docsity!

International Perspectives on

Internet Legislation

Outline

• Data Protection Act 1998

 US Privacy Laws

• Government access to data

 Regulation of Investigatory Powers Act 2000  US PATRIOT Act 2001  Data Retention

• E-Commerce Regulations

 Copyright Infringement  Deep Linking, Brands and other web-page issues

• Crime and policing

 Phishing  Politics  International Policing

Data Protection Act 1998

• Overriding aim is protect the interests of (and avoid risks to)

the Data Subject

 differs from US “privacy protection” landscape

• Data processing must comply with the eight principles (as

interpreted by the regulator)

• All data controllers must “notify” (£35) the Information

Commissioner (unless exempt)

 exemptions for “private use”, “basic business purposes” (but not CCTV) : see website for details

• Data Subjects have a right to see their data

US Privacy

• US approach is sector specific (and often driven by specific

cases) For example:

 privacy of mail (1782, 1825, 1877)  privacy of telegrams (state laws in the 1880s)  privacy of Census (1919)  Bank Secrecy Act 1970 (requires records kept!)  Privacy Act 1974 (regulates the Government)  Cable Communications Policy Act 1984 (viewing data)  Video Privacy Protection Act 1988 (purchase/rentals)  Telephone Consumer Protection Act 1991 (DNC in 2003)  Driver’s Privacy Protection Act 1994 (license data)

Sarbanes-Oxley

• US Federal Law (Public Company Accounting Reform and

Investor Protection Act of 2002)

 introduced after Enron/WorldCom/etc scandals

• Public companies have to evaluate and disclose the

effectiveness of their internal controls as they relate to financial

reporting

• Auditors required to understand & evaluate the company

controls

• Companies now have to pay much more attention to data

retention and data retrieval

Security Breach Disclosure

• California State Law SB1386 (2002) updated by AB1950 (2004)

 must protect personal data  if disclosed then must tell individuals involved

• Now taken up by 46 (of 50) states & talk of a Federal Law (for

harmonisation)

 early on had a dramatic impact, now (100 million disclosures later) becoming part of the landscape  no central reporting (so hard to track numbers)  some disclosures look like junk mail!

• EU has a sector-specific provision for telcos/ISPs and may

extend this when the Data Protection Directive is revised

RIP Act 2000 – Encryption

• Basic requirement is to “put this material into an intelligible

form”

 can be applied to messages or to stored data  you can supply the key instead  if you claim to have lost or forgotten the key or password, prosecution must prove otherwise

• Keys can be demanded

 notice must be signed by Chief Constable  notice can only be served at top level of company  reasoning must be reported to commissioner

• Specific “tipping off” provisions may apply

Electronic Communications Act 2000

• Part II – electronic signatures

 electronic signatures “shall be admissible in evidence”  creates power to modify legislation for the purposes of authorising or facilitating the use of electronic communications or electronic storage  not as relevant, in practice, as people in the “dot com bubble” thought it would be. Most systems continue to use contract law to bind people to commitments.

• Remaining parts of EU Electronic Signature Directive were

implemented as SI 318(2002)

Data Retention

• European Directive passed in 2005 (in record time, following

attacks in Madrid & London)

• Done under 1st^ pillar (internal market) rather than 3 rd^ pillar

(police/judicial co-operation)

• Wording of Directive makes little technical sense – and is

therefore being implemented haphazardly and inconsistently.

• UK transposed this in April 2009

 only applies to you if Home Office sends you a notice  notices supposed to be sent to all (public) CSPs

• Directive is currently being reviewed

E-Commerce Law

• Distance Selling Regulations (2000)

 remote seller must identify themselves  details of contract must be delivered (email is OK)  right to cancel (unless service already delivered)  contract VOID if conditions not met

• E-Commerce Directive (2002)

 restates much of the above  online selling and advertising is subject to UK law if you are established in the UK – whoever you sell to  significant complexities if selling to foreign consumers if you specifically marketed to them

Copyright Material

• US has the DMCA “safe harbor” so that hoster is immune until

notified then must remove; but user may “put back”

 DMCA is very prescriptive about take-down and put-back notices

• EU has eCommerce Directive and a “hosting” immunity – which

User Generated Content might (or might not) qualify for

 hoster immune until they have “actual knowledge”  related immunities are “mere conduit” and “cacheing”

• Under the UK’s Digital Economy Act 2010 there is to be

“graduated response” to notification of file sharing

infringements

 it is envisaged that only a court will grant access to customer details (or of course a police officer can serve RIP paperwork)  similar initiatives elsewhere (France: Hadopi), but not yet? in US

Deep Linking

• Deep Linking is the term for pointing at specific pages on

another website rather than the top level.

• Courts generally rule against this when “passing off”

 1996 Shetland Times v Shetland News (UK) settled  1997 TicketMaster v Microsoft (US) settled  2000 TicketMaster v tickets.com (US) allowed [since clear]  2006 naukri.com v bixee.com (India) injunction  2006 HOME v OFiR (Denmark) allowed [not a database]  2006 SFX motor sports v supercrosslive (Texas) injunction  2007 Copiepresse Press v Google (Belgium) forbidden

Brand Names

• Significant protection for brands in domain names

 Uniform Dispute Resolution Protocol for brand owners  mikerowesoft.com settled, microsuck.com survived…  US: 1999: Anticybersquatting Consumer Protection Act  US: 2003: Truth in Domain Names Act

• Using other people’s brand names in meta-tags doesn’t usually

survive legal challenge

• Many US rulings on “adwords” now occurring; if you just buy

keyword then you may well be OK, but definite risk of problems

if use trademarks in ad copy, or on landing page

 NB Google has its own rules as well

• Germany, UK, Austria following US line, France is not, but ECJ

have followed the US approach which should harmonise things

Politics & Terrorism

• Mainstream politics is following the extremists onto the web

 especially Obama’s fundraising (but Howard Dean did it first)

• Many issues arise on content

 defamation, incitement, anti-terror laws

• Raising money raises lots of issues for political parties, for

example in the UK:

 need to know identity if amount over £  need to report if over £5000 (or even £1000)  need to identify “permissible donors”  raising money for terrorism forbidden (!)